There are concerns that internal audit has become an extension of the regulator, which isn’t healthy for internal audit’s mission. Stephanie Baxter explores the challenges and what improvements are needed.
Since the financial crisis of 2008, regulators have tried to step up their level of oversight of banks after accusations of being asleep at the wheel, and internal audit has come under a lot of scrutiny.
Regulators include internal audit as part of their regular bank examinations, and their evaluation can be quite onerous.
The Federal Reserve’s report on the recently collapsed Silicon Valley Bank has some important lessons for internal audit functions across all financial institutions.
The report cites many documents including a December 2022 letter from the Federal Reserve Bank of San Francisco and the California Department of Financial Protection and Innovation, which concluded that the internal audit at SVB was “not fully effective”.
Former president of The Institute of Internal Auditors, Richard Chambers, who is founder and chief executive of Richard F. Chambers and Associates, says regulators demand a tremendous amount of data from internal audit before they come in for examination and are often quite vocal about their concerns and criticisms.
Over the years, Chambers has noticed an interesting relationship between US banks’ internal audit functions and their regulators. He is concerned that regulators have attached themselves to internal audit in a way that perhaps is not healthy for the mission of internal audit.
“I’ve had regulators say to me ‘we consider internal audit to be our boots on the ground at the bank’,” he explains. “That’s troubling to me, because internal audit as a function is designed to support both management and the board to provide assurance about the overall effectiveness of risks and assurance about the design and effectiveness of controls. But it seems as though the regulator is exercising more influence or control over the internal audit function.”
What problems does this cause?
There are concerns this will have a detrimental effect on the use of internal audit by management. If management are fearful that anything internal audit finds is going to end up in the lap of the regulator, will they perhaps find other ways to look at problems?
When a financial institution like SVB goes under, one of the first questions is ‘where were the internal auditors?’.
“But the better question is, why did management allow it to go on and why did the board not exercise stronger oversight?” says Chambers. “At the end of the day, if the key overseers of a financial services institution turn a blind eye or are not seriously attuned to the risk that they’re taking on, heaven help us. Certainly, internal auditors have a very important role to play but often the tendency is to find someone to be a rhetorical scapegoat.”
The board of directors should oversee the overall effectiveness of those systems within a bank.
Chambers says he has been cautioning management and boards in banks to be sure that management is not averse to using internal audit because they fear the regulators’ tentacles going directly into internal audit to pick up on problems.
An individual who has worked for SVB, and is speaking anonymously, agrees with Chambers that internal audit being seen as an extension of the regulators is an issue.
The person says: “I have worked at places where most of what internal audit was doing was trying to help the company mitigate regulatory issues and wasn’t doing independent auditing. And we got called out by the audit committee because we weren’t doing our job – we were an extension. This is when internal audit is not acting like a true third line of defence – a lot of times they’re just pushing paper or chasing ambulances.”
If internal audit knows the regulators are coming in, they do audits before the regulators come in versus doing true, risk-based auditing.
“They’re not robust and a lot of that is because the audit committee of the board is ineffective, and the leader is ineffective. They’re not doing independent risk assessments and planning the audits based on risk,” says the individual.
How to make internal audit more effective
What steps can banks take to improve the relationship with internal audit and make it more effective?
Chambers says internal audit being an extension of the regulator fundamentally undermines the notion and definition of internal audit, and that the audit committee must play a stronger role in overseeing internal audit.
“Internal audit is not a function to be directed by an outsider,” he says. “It’s an internal element of an organisation’s system of management controls or system of internal controls and risk management. So, management and the board should be the ones providing the oversight and direction to internal audit, certainly not an outsider.”
It is evident that change needs to start at the top. The head of internal audit should have a strong reporting relationship with both the CEO and the audit committee, not just one or the other, Chambers adds.
The audit committee should be robust enough that it truly understands risk and internal audit and what they should be doing.
The anonymous source says: “You also need to have an audit committee with the right level of expertise to truly review and challenge what internal audit is doing, and then you have to figure out how to have that true independence because that’s where it fails.”
Audit committees should also be making their own assessments of the chief audit executive.
The individual says: “When the chief audit executive is reporting administratively internally, somebody’s running their paycheck and giving them their performance reviews. That’s where independence fails and the whole system breaks down.”